I’m new to Cloudflare. Everything looks very simple but I am confused about SSL.
In the SSL / TLS section, there are edge certificate (universal ssl), client certificate and origin server.
Is Universal SSL a certificate as secure as Let’s Encrypt? Can I just use this certificate instead of Let’s Encrypt? Is it enough? Are there any differences? Or can both be used together?
You should definitely use both (Let’s Encrypt & Universal) together. Your server should have SSL/TLS for your site before you add it to Cloudflare in order for it to be secure.
Thank you for the reply. So what exactly is the Universal SSL task? Can’t SSL services in Cloudflare take the role of Let’s Encrypt? (for example origin server or client certificate)
Cloudflare can generate an origin certificate for the server housing a site that’s proxied by Cloudflare. But the proxy server itself also needs a certificate. That’s the Universal SSL certificate.
If I got it right, Universal SSL provides encryption between browser and Cloudflare, while Let’s Encrypt is between server and Cloudflare. Cloudflare does not provide any additional protection for Let’s Encrypt.
Is it correct?
In some sources I read, we had to buy a cloudflare pro plan to use certificates other than cloudflare ssl. Isn’t that necessary to use let’s encrypt?
You can always use Let’s Encrypt on your server. But, if for some reason, you want to use your own certificate on the proxy server for your visitors, you would need a Business Plan. But that’s rarely necessary.
So can I use cloudflare “origin server” certificate instead of let’s encrypt? Do I still need to enable universal ssl for this?
CF origin server certificate and Let’s Encrypt do the same thing. Is that so?
Hello, I connected my website with cloudflare and created a cloudflare origin ca certificate for my site. I added the certificate from Cpanel.
However, when I checked my site as https, I saw that the certificate was not working. (I checked with sslshopper too.)
Do I need to enable universal ssl as well?
What could be the problem?
Definitely. You need both.
Thank you for the link. So can I never use the origin ca certificate without enabling universal ssl?
There are two different connections that need to be secured. Client to Cloudflare, and Cloudflare to Origin. You need a different certificate for each. Universal works for the first connection, Origin CA for the second.
The Client to Cloudflare connection usually uses the Universal SSL Certificate. In certain situations you might have requirements that are not met by the Universal certificate, and Cloudflare offer Dedicated Certificates, Custom Certificates and ACM Certificates for those situations. But the Universal covers most requirements.
The Cloudflare to Origin needs a different certificate. This can be a cert from a normal Certificate Authority such as Let’s Encrypt, a self signed certificate, or a Cloudflare Origin Certificate. I like to use Let’s Encrypt certs, but Cloudflare Origin certs work well where you don’t want to manage the origin cert for the next 15 years.
Thank you for your informative answer. This has been very useful.
If you don’t mind, I have one more question for you. Yeah, instead of Let’s Encrypt I chose to use Cloudflare Origin CA SSL. But how should I add subdomains in a single certificate key when creating the origin SSL certificate?
Or should I create a different certificate for my subdomains?
For example, is what I do in the visual correct?
*.example.com, example.com, de.example.com, www.de.example.com
Is there anything else I need to add?
de.example.com would be covered by *.example.com, so is redundant.
Universal certificates cover the root, and one level of subdomain (*.example.com). If you plan on using two levels of subdomain (like www.de.example.com), then the Universal certificate will not work. You can purchase Dedicated or ACM certificates from Cloudflare to do this, or on a Business or Enterprise plan you can upload a Custom certificate. Alternatively, come up with a plan that does not use multiple levels of subdomain (www.example.com/de/ or just de.example.com would be common solutions)
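Added example, not part of the original thread: a small Python check of the wildcard rule described in the reply above, where `*` stands for exactly one left-most label. The function names and the two name lists are constructed for illustration from the hostnames used in this thread.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name covers the hostname.

    A leading '*' matches exactly one label, so '*.example.com'
    covers 'de.example.com' but not 'www.de.example.com' or 'example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def covered(cert_names, hostname) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def redundant_entries(cert_names):
    """Non-wildcard names already covered by another entry in the list."""
    out = []
    for i, name in enumerate(cert_names):
        if name.startswith("*."):
            continue
        others = cert_names[:i] + cert_names[i + 1:]
        if covered(others, name):
            out.append(name)
    return out


# Constructed from the thread: names proposed for the origin certificate,
# and the names a Universal certificate covers (root plus one level).
ORIGIN_NAMES = ["*.example.com", "example.com", "de.example.com", "www.de.example.com"]
UNIVERSAL_NAMES = ["example.com", "*.example.com"]

if __name__ == "__main__":
    print("redundant on origin cert:", redundant_entries(ORIGIN_NAMES))
    for host in ["example.com", "de.example.com", "www.de.example.com"]:
        print(f"{host:22} universal={covered(UNIVERSAL_NAMES, host)} "
              f"origin={covered(ORIGIN_NAMES, host)}")
```

Running it shows that only the edge side fails for www.de.example.com: the origin list names that host explicitly, while the Universal names do not reach a second subdomain level.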
I don’t think I need ssl on www.de.example.com but something caught my attention in cpanel;
Here I have some anxiety. Is this important?
Ok, no SSL to www.de.example.com.
So can I use “de.example.com” without any problem? (Free CF CDN and protection + CF Origin CA + Universal SSL) @michael